Congress enacted the Digital Millennium Copyright Act (the "DMCA" or "the
Act")(1) as part of an effort "to begin updating
national laws for the digital era."(2) It was
designed to "facilitate the robust development and world-wide expansion of
electronic commerce, communications, research, development, and education
in the digital age."(3)

The DMCA seeks to advance two mutually supportive goals: the protection
of intellectual property rights in today's digital environment and the promotion
of continued growth and development of electronic commerce.(4)
The Act attempts to accomplish these priorities through, inter alia,
the interaction of two carefully crafted imperatives. First, as a means of
preventing the theft of copyrighted works, the Act affords copyright owners
legal protection and remedies against unauthorized circumvention of technological
measures employed to prevent unauthorized access to copyrighted works.(5)
Second, the DMCA seeks to encourage legitimate research activities (some involving
acts of circumvention of such technological measures) that will advance the
state of the art in encryption technology, the foundation on which these measures
are based and on which electronic commerce is supported.(6)

Title I of the DMCA implements the first imperative by creating a new prohibition
against the act of circumventing technological measures that effectively control
access to a copyrighted work. The prohibition, found in section 1201(a)(1)(A),
takes effect October 28, 2000, two years from the date of enactment of the
Act.(7)

Section 1201(g) of the DMCA implements the second imperative by exempting
from the new prohibition certain good faith activities of circumvention when:
(a) the person circumventing the protection system lawfully obtained the encrypted
copy of the work; (b) circumvention is necessary to conduct the "encryption
research;"(8) (c) the person circumventing
the protection system made a good faith effort to obtain authorization from
the copyright owner of a work protected by a technological measure prior to
the circumvention; and (d) such circumvention does not constitute copyright
infringement or a violation of any otherwise applicable law. The Act also
lists factors to be considered when determining whether a person qualifies
for the exemption.(9)

Section 1201(g) also requires the Register of Copyrights and the Assistant
Secretary for Communications and Information to report to Congress on the
effects that this exemption has had on

encryption research and the development of encryption technology; the adequacy
and effectiveness of technological protection for copyrighted works; and protection
of copyright owners against the unauthorized access to their encrypted copyrighted
works.(10) In order to assist the Copyright
Office and the National Telecommunications and Information Administration
("NTIA") in developing a factual basis for this report, on May 27, 1999, the
two agencies published a request for public comment in the Federal Register.(11)

Part I of this report presents a brief review of the legislative background
of Section 1201(g). Part II summarizes the substance of the public comments
received by the Copyright Office and NTIA. Part III concludes that it is premature
to draw any conclusions or make any legislative recommendations at this time.

PART I - THE EXCEPTION FOR ENCRYPTION RESEARCH

A. Legislative History

During Congressional consideration of the DMCA, legislators were concerned
that the prohibition on circumvention of access control measures set forth
in Section 1201(a) might have unintended adverse consequences. Of particular
concern was the possibility that the prohibition could chill legitimate research
and testing in the field of encryption research, specifically inquiries that
targeted flaws and vulnerabilities in cryptographic systems for controlling
access to copyrighted works.(12) Given the
importance of encryption technology in protecting copyrighted works and promoting
electronic commerce generally, each of the three committees to which the bill
was referred considered the impact its actions would have on research efforts.

Disagreement existed as to whether the prohibition did in fact pose a threat
to encryption research. The Senate Judiciary Committee concluded that section
1201 did not pose any threat to legitimate encryption research.(13)
The House Judiciary Committee similarly reported a bill from Committee without
an exception to section 1201 for encryption research.(14)
By contrast, the House Commerce Committee, to which the bill was sequentially
referred in the House, concluded that clarification was needed to ensure that
encryption research would not be affected adversely.(15)
At full Committee mark-up, the House Commerce Committee adopted an amendment
creating a limited exemption from the anti-circumvention prohibition for encryption
research that was ultimately enacted as subsection (g) of section 1201.(16)

B. The Encryption Research Exception in Section 1201(g)

Section 1201(g) creates two exceptions to the prohibitions contained in
section 1201(a), the first to permit the act of circumventing in the course
of legitimate, good faith encryption research, and the second, to permit the
sharing of tools used to perform such research.

(i) Permissible acts of encryption research.Section 1201(g)(2) creates an exception to section 1201(a)(1)(A) to permit
an individual to circumvent a technological measure in the course of an act
of good faith encryption research provided four elements are satisfied:

(A) the person lawfully obtained the encrypted copy, phonorecord, performance,
or display of the published work;

(B) such act is necessary to conduct such encryption research;

(C) the person made a good faith effort to obtain authorization before
the circumvention; and

(D) such act does not constitute infringement under this title or a violation
of applicable law other than this section, including section 1030 of title
18 and those provisions of title 18 amended by the Computer Fraud and Abuse
Act of 1986.(17)

As a practical matter, this exception is not yet in force as it is a defense
to a violation of the prohibition on acts of circumvention - a prohibition
that will not go into force until October 28, 2000.

The subject of the exception - "encryption research" - is defined in section
1201(g)(1)(A) as "activities necessary to identify and analyze flaws and vulnerabilities
of encryption technologies applied to copyrighted works, if these activities
are conducted to advance the state of knowledge in the field of encryption
technology or to assist in the development of encryption products."(18)
This definition prescribes the nature of the permitted activities -- i.e.,
activities to identify and analyze flaws and vulnerabilities of encryption
technologies. Moreover, it limits those activities to ones carried out for
specified purposes -- i.e., to advance the state of knowledge in
the field or to assist in product development.

Section 1201(g)(3) sets forth three nonexclusive factors to be used when
determining whether a person qualifies for the exemption:

(A) whether the information derived from the encryption research was disseminated,
and if so, whether it was disseminated in a manner reasonably calculated
to advance the state of knowledge or development of encryption technology,
versus whether it was disseminated in a manner that facilitates infringement
under title 17, United States Code, or a violation of applicable law other
than this section, including a violation of privacy or breach of security;

(B) whether the person is engaged in a legitimate course of study, is employed,
or is appropriately trained or experienced, in the field of encryption technology;
and

(C) whether the person provides the copyright owner of the work to which
the technological measure is applied with notice of the findings and documentation
of the research, and the time when such notice is provided.(19)

(ii) Use of technological means for research activities. Section 1201(g)(4) creates an exception to the prohibition on circumvention
tools in section 1201(a)(2). The exception permits a researcher to develop
and use a circumvention technology, to share such technology with a project
collaborator, or to share such technology with someone verifying the researcher's
work. Unlike the exception for acts of encryption research, this exception
is presently operative, as the underlying prohibition came into force immediately
upon enactment of the DMCA. As of this writing, there is only one reported
case in which section 1201(g)(4) has been raised as a defense.(20)

PART II -- SUMMARY OF PUBLIC COMMENTS CONCERNING THE EXEMPTION FOR
ENCRYPTION RESEARCH

As noted above, on May 27, 1999, the Copyright Office and NTIA issued a
joint Federal Register notice soliciting public comment on the effects of
section 1201(g) of the DMCA on encryption research and the development of
encryption technology; the adequacy and effectiveness of technological measures
designed to protect copyrighted works; and the protection of copyright owners
against unauthorized access to their encrypted copyrighted works.(21)
Presented below is a summary of the substantive issues raised in the 13 responses
submitted during the comment period.

A. Section 1201(g)(1)(A)

Section 1201(g)(1)(A) of the DMCA defines "encryption research" as follows:

[A]ctivities necessary to identify and analyze flaws and vulnerabilities
of encryption technologies applied to copyrighted works, if these activities
are conducted to advance the state of knowledge in the field of encryption
technology or to assist in the development of encryption products.(22)

As discussed earlier, this definition seeks to limit the scope of the encryption
research exception by not only describing the nature of permitted activities,
but also restricting them to ones engaged in for delineated purposes. Commentators
took exception to the manner in which this definition was crafted, expressing
conflicting concerns regarding its scope. While it was suggested that the
definition was so vague as to be of little interpretive or probative value,(23)
one commentator found it too restrictive as some research would not fall neatly
into the qualifiers presented.(24) Yet another
commentator argued that section 1201(g) in its entirety would likely have
no "discernable adverse effect on encryption research," and was"narrowly-crafted"
and "well-balanced."(25)

B. Section 1201(g)(2)(C)

Section 1201(g)(2)(C) provides that, in order to engage in a permissible
act of encryption research, a researcher must make a "good faith effort" to
obtain authorization from the copyright owner of the content protected by
a technological measure before undertaking a circumvention activity.(26)
The legislative history of this section indicates that no requirement exists
mandating that the researcher actually obtain authorization from the copyright
owner. All that is required is a "good faith effort" in order to qualify for
the exemption.(27) Commentators have, however,
expressed varying and often times conflicting concerns about this standard.
One commentator suggested that the requirement of a "good faith effort" to
obtain authorization for an attempted circumvention of a technological measure
should not automatically preclude an individual from testing the measure if
such authorization were denied, "so long as the act of circumvention otherwise
qualifies for the exception."(28) Several
suggested that the standard is vague and impractical,(29)
as it is unclear what steps must be undertaken to avoid liability under this
subsection and from whom exactly authorization is to be sought.(30)

One commentator questioned why this standard was included at all, arguing
that it was "not evident what advantage the copyright holder gains by such
notice requirements except to discourage research, since there is no requirement
that permission actually be obtained."(31)

Some commentators supported the good faith effort standard, albeit when
coupled with a restructuring of section 1201(g)(3) and the promulgation of
regulations that prohibit, among other actions, dissemination of research
to anyone or entity that may further deploy that research in a manner that
is adverse to the copyright owner's interests.(32)
In so doing, it was argued that an environment would be fostered in which
copyright owners could trust that their creative contributions would be adequately
protected and that any research would be truly directed at studying the flaws
and vulnerabilities of encryption technology for the benefit and protection
of the copyright owner.(33) Another commentator
urged imposing a requirement that researchers obtain "actual written notice"
from the owner of the "encryption system."(34)
In addition, as a condition to being granted permission by the owner, the
researcher should "agree not to disclose any facts about the technological
results," given that, in the absence of such a non-disclosure agreement, the
ability to break an encryption system would invariably become widely known.
Such a non-disclosure agreement should be considered a reasonable condition
of a grant of authorization.(35)

C. Section 1201(g)(3)

Section 1201(g)(3) sets forth three nonexclusive factors that a court might
consider in determining whether a person qualifies for the exemption. First,
under subsection 3(A), the court must decide whether the information derived
from the encryption research was disseminated, and if so, whether this was
accomplished "in a manner reasonably calculated to advance the state of knowledge
or development of the encryption technology," rather than in a manner that
facilitated possible copyright infringement or other violation of the law.
One commentator argued that this provision would have a chilling effect on
research as it "posits a false dichotomy, that the dissemination of cryptographic
research either advances the state of knowledge or it facilitates infringement
-- but not both."(36) Other commentators were
concerned that this provision could expose lawful encryption researchers to
legal liability.(37)

The second factor, set forth in subsection 3(B), is whether the encryption
researcher is engaged in a legitimate course of study, is employed or trained
or is experienced in the field of encryption.(38)
Commentators were concerned that, because cryptographers are often self-taught
and learn by exchanging information informally with other members of the online
community, this provision would inhibit a critical segment of the research
community from participating in the study of encryption technology, limiting
the study only to academics and professional information security consultants.(39)
Supporters of these provisions advised that the measure could be improved
by making the terms narrower in meaning and application.(40)
The measure could be limited to researchers in the academic community, government
researchers, and to private and commercial researchers.(41)

The final factor for consideration, set forth in subsection 3(C), is whether
the encryption researcher provided the copyright holder notice and documentation
of research results.(42) One commentator expressed
concern that, in so doing, the researcher may be forfeiting rights to a potential
patent or trade secret protection.(43) In
addition, a researcher who notifies a copyright owner of vulnerabilities,
may in the process, inadvertently provide hackers with that information and
therefore become liable under the statute. Given this, commentators argued
that this provision may deter encryption researchers from making system weaknesses
publicly known out of concern that such actions may lead to legal action.(44)
Several commentators also noted that this factor, along with rest of section
1201, could impose a paperwork burden on the researcher.(45)

PART III -- CONCLUSION

Of the 13 comments received in response to the Copyright Office's and NTIA's
solicitation, not one identified a current, discernable impact on encryption
research and the development of encryption technology; the adequacy and effectiveness
of technological protection for copyrighted works; or protection of copyright
owners against the unauthorized access to their encrypted copyrighted works,
engendered by Section 1201(g). Every concern expressed, or measure of support
articulated, was prospective in nature, primarily because the prohibition
and its attendant exceptions will not become operative until October 28, 2000.
Given the forward-looking nature of the comments and the anticipated effective
date of the section at issue, any conclusion would be entirely speculative.
As such, we conclude that is it premature to suggest alternative language
or legislative recommendations with regard to Section 1201(g) of the DMCA
at this time.

2. H.R. Rep. No. 105-551, pt. 2, at 21 (1998). The objective
of Title I of the DMCA was to revise U.S. copyright law to comply with two
recent World Intellectual Property Organization treaties and to strengthen
copyright protection for motion pictures, sound recordings, computer software
and other copyrighted works in electronic formats.

4. H.R. Rep. No. 105-551, pt. 2, at 23 (1998). "A thriving
electronic marketplace provides new and powerful ways for the creators of
intellectual property to make their works available to legitimate consumers
in the digital environment. And a plentiful supply of intellectual property
-- whether in the form of software, music, movies, literature, or other works
-- drives the demand for a more flexible and efficient electronic marketplace."
Id.

5. "Due to the ease with which digital works can be copied
and distributed worldwide virtually instantaneously, copyright owners will
hesitate to make their works readily available on the Internet without reasonable
assurance that they will be protected against massive piracy. Legislation
implementing the [World Intellectual Property Organization treaties on copyright
and on performers and phonograms] provides this protection and creates the
legal platform for launching the global digital on-line marketplace for copyrighted
works." S. Rep. No. 105-190, at 8 (1998). The DMCA implements these treaties,
"bringing U.S. copyright law squarely into the digital age and setting a marker
for other nations who must also implement these treaties." Id. at
1.

6. Technological protection measures for copyrighted works
are a subset of technologies to ensure the security, privacy, and authenticity
of information and communications on digital networks that frequently are
based upon encryption technology. Given this, the research and testing that
advance that field of learning are essential to electronic commerce. See
generally H.R.Rep. 105-551, pt. 2, at 27 (1998).

7. The prohibition on circumventing access control measures
is set forth in 17 U.S.C. § 1201(a)(1)(A), which provides in pertinent part,
that "[n]o person shall circumvent a technological measure that effectively
controls access to a work protected under this title." The DMCA also makes
it illegal for a person to manufacture, import, offer to the public, provide,
or otherwise traffic in any technology, product, service, device, component,
or part thereof, that (1) is primarily designed or produced to circumvent
a protection or technological measure that effectively controls access to
a work protected by copyright; (2) has only a limited commercially significant
purpose or use other than circumvention of such measures; or (3) is marketed
for use in circumventing such measures.
17 U.S.C. §§ 1201(a)(2).

8. 17 U.S.C. § 1201(g)(2). "Encryption research" encompasses
those activities necessary to identify and analyze flaws and vulnerabilities
of encryption technologies applied to copyrighted works, if these activities
are conducted to advance the state of knowledge in the field of encryption
technology or to assist in the development of encryption products.17
U.S.C. § 1201(g)(1)(A).

13. The Senate Judiciary Committee noted that "[t]he
goals of section 1201 would be poorly served if these provisions had the undesirable
and unintended consequence of chilling legitimate research activities in the
area of encryption. It is the view of the Committee, after
having conducted extensive consultations, and having examined a number of
hypothetical situations, that Section 1201 should not have such an unintended
negative effect." S. Rep. No. 105-190, at 15 (1998).

15. The specific factor cited by the Commerce Committee
as necessitating an exception was the desirability of studying encryption
systems as they are actually used. The Committee noted that "[i]n many cases,
flaws in cryptography occur when an encryption system is actually applied.
Research of such programs as applied is important both for the advancement
of the field of encryption and for consumer protection. Electronic commerce
will flourish only if legitimate encryption researchers discover, and correct,
the flaws in encryption systems before illegitimate hackers discover and exploit
these flaws. Accordingly, the Committee has fashioned an affirmative defense
to permit legitimate encryption research." H.R. Rep. No. 105-551, pt. 2, at
27 (1998).

19. 17 U.S.C. § 1201(g)(3). The report of the House Commerce
Committee describes the purpose of section 1201(g)(3) as assisting courts
in "distinguishing between a legitimate encryption research [sic] and a so-called
'hacker' who seeks to cloak his activities with this defense. [This section]
therefore contains a non-exhaustive list of factors a court shall consider
in determining whether a person properly qualifies for the encryption research
defense." H.R. Rep. No. 105-551, pt. 2, at 44 (1998). The Conference Report
added a further clarification, providing that "section 1201(g)(3)(A) does
not imply that the results of encryption research must be disseminated. There
is no requirement that legitimate encryption researchers disseminate their
findings in order to quality [sic] for the encryption research exemption in
section 1201(g). Rather, the subsection describes circumstances in which dissemination,
if any, would be weighed in determining eligibility." H.R. Rep. No. 105-796,
at 66 (1998).

20. See Universal City Studios, Inc. et al. v. Shawn
C. Reimerdes, et al., 00 Civ. 0277 (LAK), (preliminary injunction
granted against three defendants, programmers who had posted a DVD descrambling
program to their World Wide Websites, as well as the owner of an Internet
provider whose customer had made the program available online) (S.D.N.Y. Feb.
2, 2000).

21. The Digital Millennium and Copyright Act, Federal
Register Request for Comments Notice, 64 Fed. Reg. 28802, (1999). The comments
that were received during the comment period are available at the Register
of Copyrights, Index of Submissions (visited March 20, 2000) <http://www.copyright.gov/reports/studies/comments.html>
and at the National Telecommunications and Information Administration, Index
of Comments (visited March 20, 2000) <http://www.ntia.doc.gov/ntiahome/occ/dmca/commentsindex.htm>
. Two additional sets of public comments were received after the comment period
closed and can be identified by the date cited in their first reference herein.
All comments received in response to the request are attached hereto as Appendix
1.

23. One commentator thought it ill-advised to define
"encryption research" by attempting to link it to a determination that the
research activity "advance the state of knowledge" or "assist in the development
of encryption technology." The commentator suggests that "it will be very
difficult to prove what the purposes are of any particular instance of defeating
copyright protection. A criminal may claim that he intended to disseminate
his results or a legitimate researcher who delays publication while he gathers
more data may find himself accused of criminal actions." See Comments
of Hal Finney (Finney Comments) (July 12, 1999).

24. One commentator noted that Section 1201(g)(1)(A)
as drafted would not necessarily include activities "involving the examination
of the encryption to determine its strength." This type of inquiry was described
as key to "understanding the potential risk of exposure" for anyone using
that algorithm. See Comments of theAssociation
of Computing Machinery (ACM Comments) (Aug. 3, 1999).

26. See generally H.R. Rep. 105-551, pt. 2,
at 44 ("Section [1201(g)] prohibits circumvention without the authorization
of the copyright owner . . . ."); S. Rep. No. 105-190, at 33 ("[Subsection
1201(g)] permits a software developer to circumvent an access control technology
applied to a portion or portions of a program in order to perform the necessary
steps to identify and analyze information necessary to achieve interoperability
. . . [however], each of the acts undertaken must avoid infringing the copyright
of the author of the underlying computer program").

29. "Section 1201(g)(2)(B) mandates a 'good faith effort'
without adequate definition as to what that means." See ACM Comments;
see generally Comments of David Wagner (Wagner Comments) (May 27,
1999). Another commentator expressed concern about whether attempting to obtain
such consent and having the request denied would constitute the requisite
"good faith effort." See Comments of Jonathan D. Callas (Callas Comments)(July
27, 1999).

30. "The net result is that these provisions [of Section
1201(g)(2)] carve out an exception that is loaded with traps, where inadequate
documentation can lead to criminal penalties, and where illogical actions
are required for no purpose. This is sure to drive many qualified researchers
from the field." See Finney Comments. "Under Section 1201(g)(2)(C),
a person who intends to circumvent a 'technological measure,' as that term
is used in the Act, must make 'a good faith effort to obtain authorization
before the circumvention,' presumably from the owner of the underlying copyright."
See EMusic.com Comments. Another commentator noted that the distinction
between general encryption systems and copyright enforcement systems is currently
unclear, and will likely become more so in the future. "A particular encryption
algorithm or program may be put to a variety of uses, and there are likely
to be numerous parties (hundreds or even thousands) using any given system
(or aspect of a system) that an encryption researcher wishes to test for flaws
and vulnerabilities. The Act could be interpreted to require the researcher
to try to obtain permission from each of them. Therefore it may not be feasible,
practical, or even possible for some researchers to make this 'good faith
effort.'" See Comments of the Computer & Communications Industry
Association (CCIA Comments) (July 27, 1999). One other commentator expressed
concern regarding obtaining authorization from the owner or vendor of an encryption
system. See ACM Comments.

31. See CCIA Comments. Another commentator,
who also questioned the propriety and usefulness of this standard, described
the provision as "bizarre" and "illogical," noting that "whether the authorization
is granted or not makes no difference, but nevertheless the researcher is
required to seek authorization." This commentator also expressed concern that,
in the case where the copyright holder is not known or reachable, the researcher
is left to "guess" at what constitutes a "good faith effort" in trying to
seek permission. See Finney Comments.

32. This commentator also suggested that researchers
should also be required to provide to the copyright owner or representative
upon whose work the research was performed, a list of all those to whom the
research was disseminated and a certification that the person to whom the
research is being supplied is not believed to be seeking the information for
purposes adverse to the copyright owner's interest. See Comments
of the American Society of Composers, Authors and Publishers (ASCAP Comments)
(July 26, 1999).

34. This commentator posits that there would be "no reason
to suppose that owners of encryption systems would be unwilling to authorize
legitimate researchers to test for weaknesses in the encryption systems. Leaving
the criterion, however, at merely making a good faith effort to obtain authorization
could allow for illy motivated 'researchers' to meet this qualification by
sending off (or even claiming to send off) a letter, a fax or an e-mail which
does not reach its destination. On the other side of this coin, such a requirement
would impose on the owner of the encryption system a burden of attending to
its mail, fax and e-mail communications with more speed than it may be able
to muster." See Comments of Time Warner Inc. (Time Warner Comments)
(July 26, 1999) (citation omitted).

36. This commentator argued that "it is virtually impossible
to distinguish between these two effects, and equally impossible for persons
with legitimate intentions to know with any reasonable degree of certainty
whether they will be accused of falling on the wrong side of this (non-existent)
line. The effect of this uncertainty will be to deter persons who are seeking
to make information available about specific weaknesses in cryptographic implementations,
even when their intention is solely to draw attention to the deficiencies
of a proposed standard." See EMusic.com Comments.

37. One commentator was concerned that this provision
may require the researcher to guarantee that all persons to whom s/he disseminates
her/his findings will use the information responsibly. It was suggested that
this factor be clarified so that an individual could benefit from the exception
so long as "he or she disseminates the results of his or her research without
any apparent intention of facilitating infringement, as judged by the surrounding
circumstances." Id.See generally, Finney Comments ("These
provisions further increase the uncertainty and risks which will be faced
by researchers. Not only his intentions are being judged, but the judgement
[sic] criteria are left vague and menacing").Another commentator
was concerned that "[i]f I decide to publish, I have to worry about the threat
of retaliation from those trying to sell the flawed system. Whether or not
I would eventually win in court, the threat of having to spend time and money
on a lawsuit is enough to make me tend to shy away from studying copyright
protection. I already have to worry about this threat, but 1201(g) makes the
threat much worse: it places some of the burden on proof on me to demonstrate
that I was proceeding in 'good faith' (whatever that means), etc." See
Wagner Comments.

39. See generally ACM Comments; Emusic.com Comments;
Comments of Kroll O'Gara Information Security Group (July 26, 1999); Wagner
Comments. In addition, one commentator found it "absurd" that criminal penalties
could attach to a person engage in encryption research based on "whether a
judge views the researcher as having adequate training, experience, and employment."
This commentator noted that encryption development is a "fast-moving field
and many of the most creative results have come from individuals without formal
training in cryptography." See Network Associates, Inc. Comments.

40. See Comments of Broadcast Music, Inc. (July
27, 1999); see also Time Warner Comments.

44. One commentator expressed additional concerns that
this section was unclear as to potential criminal liability should a researcher
delay publication of results while gathering additional data. See
Network Associates Comments. See also, Callas Comments.